Yesterday the judgment of the Court of Justice of the European Union in a Bulgarian case regarding general and undifferentiated retention of traffic data and location data by providers of electronic communications services was made public.

Machine translation of the decision in C-350/21 Spetsializirana prokuratura (blue marking be me):

1) On those grounds, the Court (Sixth Chamber) ruled
Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of fundamental rights of the European Union

must be interpreted as precluding :

– national legislation providing, as a preventive measure, for the purpose of combating serious crime and preventing serious threats to public security, for the general and undifferentiated retention of traffic and location data, even if that legislation limits such general and undifferentiated retention to a period of six months and provides for a number of safeguards relating to the retention of and access to the data in question;
– national legislation which does not provide, in a clear and precise manner, that access to the retained data is limited to what is strictly necessary to achieve the purpose of that retention.

2) Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, and Articles 13 and 54 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

must be interpreted as meaning that :

they preclude national legislation providing for access by national authorities responsible for criminal investigations to lawfully stored traffic and location data without ensuring that persons whose data have been accessed by those national authorities are informed to the extent provided for by Union law, and without providing them with a remedy against unlawful access to those data.

This is an important judgment in the light of the anti-money laundering legislation in preparation by the European Commission (the AML-Package, introduction [EN], articles [NL, EN]).

The Dutch government would do well to include the ruling in the preparation of the system of joint monitoring of transactions by banks (the bank dragnet, ‘het bancaire sleepnet’) and other anti-money laundering regulations.

More information:

• Judgment in case C‑350/21, ECLI:EU:C:2022:896, currently only in French and Bulgarian. Also on EUR-Lex.
• Summary of the request, English, Dutch.
• General information on the request in Dutch, ECER.